Solved

Audit Failure event in security logs of Domain controller

Posted on 2010-09-23
Last Modified: 2013-12-04
Hi,

I am checking some security event logs on the domain controller and what I am seeing is a lot of Audit failure logs. The surprising thing is that these audit failure events are coming from the only computers on the network which are on the same network BUT NOT ON DOMAIN. I am not sure if it is a particular type of bot or virus attack.

Any suggestions?
0
Question by:TheCommunicator
11 Comments
 
LVL 38

Accepted Solution

by:
Adam Brown earned 200 total points
It depends highly on what type of auditing is going on. Can you post one of the events, please?
0
 

Author Comment

by:TheCommunicator
It says Login failed. It looks like somebody from these machines is trying to actually log in to the domain controller. I am not sure whether this is for real or something else is being masked as Login failure.


I am attaching the snapshot

Audit-Failure.png
0
 
LVL 38

Assisted Solution

by:Adam Brown
Adam Brown earned 200 total points
This site has some more detailed information on that event: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
This could be caused by a service account that is configured to run some software on the computers that are being reported having incorrect credentials. There are also a number of other reasons this could be showing up. Check the Substatus code and compare it to the ones listed at the link I gave and it should give you more information.
0
 
LVL 66

Expert Comment

by:johnb6767
Any persistent mappings from those systems using domain creds?

0
 

Author Comment

by:TheCommunicator
Oh yes actually these computers browse to some of the folders on these servers.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
I'd check for stored passwords that are out of date....
0
 

Author Comment

by:TheCommunicator
Can you please explain? Stored passwords which are out of date?
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
If these non-domain users have mappings that are done to your domain servers, then they might have stored passwords cached in their systems.....

start>run>control keymgr.dll

Check to see if any passwords exist for your servers on one of those systems....
0
 

Author Comment

by:TheCommunicator
Well, I checked. They do not use any credential manager facility.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 300 total points
What's the Logon Type Code in your errors?

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Will reveal more about the source of the failure....
0
 

Author Comment

by:TheCommunicator
It is Logon type 3.
0
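
The checks suggested in this thread (substatus code, logon type, source machine) can be pulled from the log in one pass. The script below is an added example, not something posted by a participant; it assumes an elevated PowerShell session on the domain controller, a Windows version that logs failed logons as event 4625, and an arbitrary 24-hour window.

```powershell
# Added example (not from the thread): summarise event 4625 failures by source.
# Status/SubStatus values are NTSTATUS codes; the common ones for failed logons:
$reasonText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name is correct but the password is wrong'
    '0xc0000234' = 'account is locked out'
    '0xc0000072' = 'account is disabled'
    '0xc0000071' = 'password has expired'
    '0xc0000193' = 'account has expired'
    '0xc000006f' = 'logon outside permitted hours'
    '0xc0000070' = 'logon from a workstation that is not permitted'
    '0xc0000224' = 'user must change password at next logon'
}

# Assumption: look at the last 24 hours only.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named <Data> fields from the event XML instead of relying
        # on positional property indexes.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        # SubStatus is 0x0 for some failures; fall back to Status in that case.
        $code = if ($data['SubStatus'] -and $data['SubStatus'] -ne '0x0') {
            $data['SubStatus'] } else { $data['Status'] }
        [pscustomobject]@{
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']   # 3 = network logon, e.g. a shared folder
            Code        = $code
            Reason      = $reasonText[[string]$code]
        }
    }

# One row per distinct source/account/reason, most frequent first.
$failures |
    Group-Object Workstation, SourceIp, Account, LogonType, Code, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

A large count for one account from one workstation with code 0xc000006a is consistent with the stale stored password discussed above; many different account names with 0xc0000064 from the same source is a different pattern and deserves a closer look at that machine.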
